Website is securely not secure

I am accessing Pandora via SSL and notice a few icons by the URL. First is the exclamation point in a triangle, indicating the page is not fully secure:

Not Secure

Next to it is a shield? This one says content that is not secure is blocked.

Is Secure

These statements, at least to me, seem to be opposites. Can someone explain this to me? Is my connection secure or not?

Accessed via Firefox 30.0 on Windows 7. I also have HTTPS Everywhere installed.


Solution 1:

This is called a "mixed content" page.

If the HTTPS page includes content retrieved through regular, cleartext HTTP, then the connection is only partially encrypted: the unencrypted content is accessible to sniffers and can be modified by man-in-the-middle attackers, and therefore the connection is not safeguarded anymore.

https://developer.mozilla.org/en-US/docs/Security/MixedContent

The statements aren't contradictory, but complementary; and a little confusing perhaps. The first says the page itself isn't fully secure because it contains unencrypted elements (all web browsers will notify you of this), whereas the second notes that these elements have been automatically blocked by Firefox.

If Firefox would not block the unencrypted elements, then strictly speaking the page would not be secure.

(HTTPS Everywhere does not guarantee a secure connection. It will only try to force HTTPS when it's available; if it's not, there's nothing a user/browser can do about that but block the unsecure content.)